How to Detect Wire Fraud When No Two Attacks Are the Same

Fraudsters have developed a variety of methods for initiating fraudulent wire transfers, but a security approach based on data and analytics from customer behavior can be an effective countermeasure to these wire fraud schemes.

What's great about wires from a customer service perspective – their speed – is also their greatest liability. Fraudsters target wire transfers precisely because of the speed with which the money is moved, making it harder for financial institutions (FIs) to reverse the transactions. Fraudsters have launched a wide range of attacks and schemes, many of which use a combination of banking or communications channels. If the schemes work, they expand quickly. If they don’t, the fraudsters quickly change tactics and launch additional attacks. For banking security professionals, this means being constantly on guard for the latest twist or variation.

Here are just a few of the schemes that cyber criminals have developed to complete fraudulent wire transfers. These are followed by an explanation of how behavior-based anomaly detection solutions have been proven to detect early attack indicators before any money is transferred.

1) Online Wire Request – The most common wire scheme starts with compromising an online account. The fraudster then disables security alerts or enters a new phone number or email address for confirmation, bypassing customer notifications. The fraudster then simply submits a wire request through the compromised online account.

2) Online Live Chat – A fraudster compromises an online banking account, gathers (or changes) personal information, and then engages in a live chat session with the call center to have the agent complete the wire request for him. The agent believes the fraudster is legitimate because he has successfully logged into online banking.

3) Funeral Scheme – A fraudster compromises an online banking account to view check images to get the victim’s signature. He then compromises the victim’s email account and sends a request to the FI’s relationship manager explaining that he’s out of the country for a funeral and needs money for expenses. The FI emails the necessary Letter of Authority, which the fraudster receives, signs and faxes back, complete with an accurately forged signature.

4) Commercial Account Takeover – A fraudster will compromise an online banking administration account and then create a new user with the authority to approve wire requests. He submits a wire request from the administration account, and then signs into the newly created account and approves his own wire request.

5) Inside Access to the Wire System – Using a spear-phishing scheme, malware designed to compromise the back-end payment system is installed on a bank employee’s computer. The malware takes over the victim’s computer, enabling the fraudster to directly initiate a large-dollar wire transfer (there was an FBI alert from 2012 on this). This clearly is a more sophisticated attack, but the ability to steal a large amount of money makes it worth the effort to the fraudster.

These are not the most sophisticated or elaborate schemes, but they do illustrate the range of schemes that fraudsters deploy, all of which result in a fraudulent wire. Fortunately, there is a common element that financial institutions can leverage to prevent all of these.

Detect Fraudulent Wires Using Anomaly Detection

In all of these schemes there is some online or other form of electronic banking that leaves a footprint of the fraudster’s activity. In some cases it’s submitting a wire request online, or gathering or changing information online, or using the in-house wire system. In all cases, if the fraudster’s activity were compared to the previously demonstrated behavior of the legitimate account holder, differences would emerge that could tip off the FI to the fraud scheme.

Behavior-based anomaly detection solutions monitor all banking activity for each account holder, building a profile of each user’s typical behavior. Tracked activity could include such factors as when, where, and how the user is logging in, how long it’s been since their last session, the sequence of activities during each session, plus payment amounts and payees. When the fraudster starts his reconnaissance or initiates a transaction, there will be something different, unusual, or suspicious when compared to the victim’s typical behavior. And that is when the financial institution can intervene, well before a wire request has been submitted or a transaction has been initiated.
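
The sketch below is an added example, not code from the original article or from any vendor's product: it builds a per-user profile from past sessions and lists how a new session departs from it, so a session that only changes contact details is flagged before any wire is requested. The field names, action names, sample sessions and thresholds are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed history for one account holder; field and action names are assumptions.
HISTORY = [
    {"hour": 9, "country": "US", "device": "laptop-1", "actions": ["login", "view_balance", "bill_pay"], "amount": 120.0, "payee": "utility-co"},
    {"hour": 10, "country": "US", "device": "laptop-1", "actions": ["login", "view_balance"], "amount": None, "payee": None},
    {"hour": 18, "country": "US", "device": "phone-1", "actions": ["login", "view_balance", "bill_pay"], "amount": 95.0, "payee": "utility-co"},
    {"hour": 9, "country": "US", "device": "laptop-1", "actions": ["login", "view_statements", "bill_pay"], "amount": 140.0, "payee": "landlord"},
]

def bigrams(actions):
    """Consecutive action pairs: the order of activity within a session."""
    return set(zip(actions, actions[1:]))

def build_profile(history):
    """Summarize what is typical for this user across past sessions."""
    amounts = [s["amount"] for s in history if s["amount"] is not None]
    return {
        "hours": {s["hour"] for s in history},
        "countries": {s["country"] for s in history}, "devices": {s["device"] for s in history},
        "payees": {s["payee"] for s in history if s["payee"]},
        "transitions": set().union(*(bigrams(s["actions"]) for s in history)),
        "amount_mean": mean(amounts), "amount_std": pstdev(amounts),
    }

def score_session(profile, s):
    """Return the ways session s departs from the profile (empty list = typical)."""
    flags = []
    # Circular 24h distance from this login to the nearest hour seen before.
    gap = min(min(abs(s["hour"] - h), 24 - abs(s["hour"] - h)) for h in profile["hours"])
    if gap > 2:
        flags.append("unusual_hour")
    if s["country"] not in profile["countries"]:
        flags.append("new_country")
    if s["device"] not in profile["devices"]:
        flags.append("new_device")
    for a, b in sorted(bigrams(s["actions"]) - profile["transitions"]):
        flags.append(f"new_sequence:{a}>{b}")
    if s["payee"] and s["payee"] not in profile["payees"]:
        flags.append("new_payee")
    # Assumed threshold: three standard deviations above the user's mean payment.
    if s["amount"] is not None and s["amount"] > profile["amount_mean"] + 3 * profile["amount_std"]:
        flags.append("amount_outlier")
    return flags

PROFILE = build_profile(HISTORY)
# Constructed sessions: RECON contains no wire request; NORMAL is routine activity.
RECON = {"hour": 3, "country": "US", "device": "unknown-7", "actions": ["login", "change_email", "disable_alerts", "view_check_images"], "amount": None, "payee": None}
NORMAL = {"hour": 10, "country": "US", "device": "laptop-1", "actions": ["login", "view_balance", "bill_pay"], "amount": 130.0, "payee": "utility-co"}
```

Calling score_session(PROFILE, RECON) returns five flags even though the session moves no money, while the routine session returns none; a production system would weight and combine such signals rather than treat each as a hard rule.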